The ICO exists to empower you through information.

Data protection law gives you some rights over how your personal information is used. This means you can ask for a copy of your information, or for it to be changed or deleted. You can also object to how your information is being used, or ask for it to be transferred to another organisation. 

You can exercise these rights by contacting the organisation directly. Where the organisation doesn’t comply with your request, they’ll need to justify their decision. 

An organisation has one month to respond to your request. In certain circumstances it may need extra time to consider your request and can take up to an extra two months. If it’s going to do this, it should let you know within one month that it needs more time and why. For more on this, see our guidance on Time Limits.

The organisation might need you to prove your identity. However, they should only ask for enough information to be sure you are the right person. If they do this, then the one-month time period to respond to your request begins from when they receive this additional information.

An organisation can only charge a fee if it thinks the request is “manifestly unfounded or excessive”. If so, it may ask for a reasonable fee for administrative costs associated with the request. 

You can learn more about your data protection rights by following the below links.

Your right of access
Your right to rectification
Your right to erasure
Your right to restriction of processing
Your right to object
Your right to data portability
Your right to withdraw consent

Your right of access 

You have the right to ask an organisation if they're using or storing your personal information. You can also ask them for copies of your personal information.

This is called the right of access and is also known as making a subject access request, a SAR or a DSAR.

Anyone can make a SAR. You don’t need a solicitor or a lawyer.

Organisations usually have one month to respond to a SAR.

What should I include in a SAR?

We suggest you include the following information in a SAR:

  • a subject line or header that says "subject access request";
  • the date you’re making the request;
  • your name (and any other names where relevant, eg your name before you were married);
  • your email address, home address and phone number;
  • customer account numbers, NHS number, employee number, product number or similar information that can help identify you;
  • what personal information you want (be specific about the information you’re asking for, and where relevant say what information you don’t need);
  • details or dates that will help the organisation find the information you want;
  • the reason you want the information (you don't have to include this but it will help the organisation find what you need); and
  • how you would like to receive the information (eg electronically or printed and sent by post) and if you have any accessibility requirements (eg large fonts).

Can I ask for all the information the organisation holds about me?

Yes. You can ask for all the information an organisation holds about you. However, this doesn’t mean you will get all the information they have about you. An organisation can sometimes refuse to provide you with all or some of the information.

It might also mean you get a lot of information back that you don't need. Sometimes, the organisation is allowed to take longer to send it as well.

When asking for information, be as specific as possible. This may help you to get the fastest possible reply and more useful information back.

How do I send my subject access request?

The easiest ways to make a SAR include:

  • Online - many organisations let you submit SARs through their website. If you do this, you should take a screenshot of your request for your records before you press submit.
  • Email - use our SAR service to create and send an email request to an organisation or contact the organisation directly.

You can also make requests by post, over the phone or face to face. If you do this, make sure to keep records of when you made your request and who you spoke to, where relevant.

Tip: You can usually find suitable contact information for people who deal with SARs on an organisation’s privacy notice or on their website.

Can I make a SAR for someone else?

Yes. You can make a SAR for someone else if you can prove you have the person's permission to get the information for them.

When you submit a request for someone else, the organisation will ask for proof such as:

  • written permission from the person; or
  • a power of attorney document.

They don't have to give you the information you ask for, if they are not happy you have permission to receive it. 

If you are letting someone make a SAR for you, think – are you happy for that person to get some or all of your personal information? They could gain access to information that you don’t want to share with them, such as your medical history.

What to do if the organisation does not respond or you are dissatisfied with the outcome

If you are unhappy with how the organisation has handled your request, you should first complain to it.

Having done so, if you remain dissatisfied you can make a complaint to the ICO.

You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise that you seek independent legal advice first.

Your right to rectification 

You can challenge the accuracy of personal information held about you by an organisation, and ask for it to be corrected or deleted. This is known as the ‘right to rectification’. If your data is incomplete, you can ask for the organisation to complete it by adding more details.

How to get your data corrected

To exercise your right you should inform the organisation that you are challenging the accuracy of your data and want it corrected. You should:

  • state clearly what you believe is inaccurate or incomplete
  • explain how the organisation should correct it, and
  • where available, provide evidence of the inaccuracies.

A request can be verbal or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your complaint, give evidence and state your desired solution. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response. 

What about data that records a mistake?

It can be complex to decide whether data is inaccurate if it refers to a mistake that has then been put right. An organisation could argue that the fact the mistake was made is an accurate thing to record, so it should record the mistake alongside the correct data.

Example

A doctor finds that a patient has a particular illness and notes it in their medical records. Sometime later, this diagnosis is found to be wrong. It is likely that the medical records should include both the initial diagnosis and the final findings because this gives an accurate record of the patient’s medical treatment. As long as the medical record contains the up-to-date findings, and this is made clear in the record, it would be difficult to argue that the record is inaccurate and should be corrected.

What about data that records an opinion?

It is also complex if the data in question records an opinion. Opinions are, by nature, subjective. As long as the record is clear that the data is an opinion and, where appropriate, whose opinion it is, it can be difficult to maintain it is inaccurate and needs to be corrected.

What organisations should do

When an organisation is asked to correct data, it should take reasonable steps to investigate whether the data is accurate, and should be able to demonstrate it has done so. To do this it should consider your arguments and any evidence you provide.

The organisation should then contact you and either:

  • confirm it has corrected, deleted or added to the data, or
  • inform you it will not correct the data, and explain why it believes the data is accurate.

If the organisation refuses to correct the data, as a matter of good practice it should record that you have challenged the data’s accuracy and why.

If the organisation has disclosed the data to others, it must contact them and tell them the data has been corrected or completed – unless this is impossible or involves a disproportionate effort. When asked, the organisation must inform you which recipients have received the data.

When else can the organisation say no?

The organisation can refuse to comply with a request for rectification if it believes that the request is what the law calls “manifestly unfounded or excessive”. In reaching this decision, it can take into account whether the request is repetitive.

In such circumstances the organisation can: 

  • request a reasonable fee to deal with the request, or
  • refuse to deal with the request.

In either case it will need to tell you and justify its decision.

What to do if the organisation does not respond or you are dissatisfied with the outcome

If you are unhappy with how the organisation has handled your request, you should first complain to it.

Having done so, if you remain dissatisfied you can make a complaint to the ICO.

You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise that you seek independent legal advice first.

Your right to erasure

What is the right to get your data deleted?

The right to get your data deleted is also known as the ‘right to erasure’. You can ask an organisation that holds data about you to delete that data. In some circumstances, they must then do so. You may sometimes hear this called the ‘right to be forgotten’.

When can I ask for my data to be deleted?

The right only applies in the following circumstances:

  • The organisation no longer needs your data for the original reason they collected or used it for.

After you have cancelled your gym membership, the gym no longer needs to keep details of your name, address, age and health conditions.


  • You initially consented to the organisation using your data, but have now withdrawn your consent.

You agreed to take part in a market research study and now don’t want to.


  • You have objected to the use of your data, and your interests outweigh those of the organisation using it.
  • You have objected to the use of your data for direct marketing purposes.

For more information on the right to object, read ‘Your right to object to how your data is used’.

  • The organisation has collected or used your data unlawfully.

It hasn’t complied with the rules on data protection.


  • The organisation has a legal obligation to erase your data.
  • The data was collected from you as a child for an online service.

You used social media or a gaming app as a child.


The law gives children special protection, especially online, because they may be less aware of the risks and consequences of giving their data to organisations. Even if you are now an adult, you have a right to have your data erased if it was collected from you as a child.

For more about this, see our guidance on Children’s rights.

How do I ask for my data to be deleted?

You should contact the organisation and let them know what personal information you want them to erase. You don’t have to ask a specific person – you can contact any part of the organisation with your request.

You can make your request verbally or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your complaint, give evidence and explain what you want to happen. You will also have clear proof of your actions, if you decide to challenge the organisation’s response. 

There are no specific words that you must use, but you may find it useful to use the template below to help you exercise your right to erasure. 

[Your full address]
[Your phone number]
[The date]

[Name and address of the organisation]
[Reference number (if provided within the initial response)]

Dear [Sir or Madam / name of the person you have been in contact with]

Right to erasure

[Your full name and address and any other details such as account number to help identify you]

I wish to exercise my right of erasure under data protection law.

[Give details of what personal information you want erased/deleted.]

You can find guidance on your obligations under information rights legislation on the website of the Information Commissioner’s Office (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month confirming if you will comply with my request. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me.

Yours faithfully
[Signature]

What should the organisation do?

The organisation should delete your data, unless an exemption in data protection law applies.

They should also tell anyone else they have shared your data with about the erasure. They can only refuse to do this if it would be impossible or involve disproportionate effort. If you ask, they must also tell you that they have shared your data with other organisations.

If your data has been made public online – such as on social networks, forums or websites – then the organisation must take reasonable steps to inform the people with responsibility for these sites to erase links or copies of that data.

When can the organisation say no?

The organisation can refuse to erase your data in the following circumstances:

  • When keeping your data is necessary for reasons of freedom of expression and information (this includes journalism and academic, artistic and literary purposes).
  • When the organisation is legally obliged to keep hold of your data such as to comply with financial or other regulations.
  • When the organisation is carrying out a task in the public interest or when exercising their official authority.
  • When keeping your data is necessary for establishing, exercising or defending legal claims.
  • When erasing your data would prejudice scientific or historical research, or archiving that is in the public interest.

Also, the right to erasure does not apply to special category data in the following circumstances:

  • When keeping hold of your data is necessary for reasons of public health in the public interest.
  • When keeping your data is necessary for the purposes of preventative or occupational medicine; for the assessment of the working capacity of the employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services. This only applies if the data is being used by or under the responsibility of a professional who is under a legal obligation of professional secrecy, such as a health professional.

If an exemption applies, the organisation can either fully or partly refuse to comply with your request.

The organisation can also refuse your request if it is, as the law states, ‘manifestly unfounded or excessive’.

There is no set definition of what makes a request ‘manifestly unfounded or excessive’. It depends on the particular circumstances of your request. For example, an organisation may consider a request to be ‘manifestly unfounded or excessive’ if it is clear that it has been made with no real purpose except to cause the organisation harassment or disruption.

In such circumstances the organisation can:

  • request a reasonable fee to deal with the request; or
  • refuse to deal with the request.

In either case they will need to tell you and justify their decision.

If, having considered your request, the organisation decides it does not need to erase your data, they must still respond to you. They should explain why they believe they don’t have to erase your data, and let you know about your right to complain about this decision to the ICO, or through the courts.

What to do if the organisation does not respond or you are dissatisfied with the outcome

If you are unhappy with how the organisation has handled your request, you should first raise a complaint with them and give them the opportunity to resolve the matter.

Having done so, if you remain dissatisfied you can make a complaint to the ICO.

You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.

Your right to restriction of processing 

You can ask organisations to limit the ways they can use your personal information, including asking them not to delete it. This is known as the ‘right to restriction’. Organisations only need to comply with your request in certain circumstances, and they may only need to apply a temporary restriction.

This right is closely linked to your rights to challenge the accuracy of your data and to object to its use.

How you can ask an organisation to restrict the use of your data

To exercise your right to restriction, you should:

  • make your request directly to the organisation, and
  • say what data you want restricted and why.

If you want to, you can make a request for restriction at the same time as you raise another objection.

A request can be verbal or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your complaint, give evidence and state your desired solution. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response.

When you can ask an organisation to restrict the use of your data

You can ask organisations to temporarily limit the use of your data when they are considering:

  • a challenge you have made to the accuracy of your data, or
  • an objection you have made to the use of your data.

You may also ask an organisation to limit the use of your data rather than delete it if:

  • the organisation processed your data unlawfully but you do not want it deleted, or
  • the organisation no longer needs your data but you want the organisation to keep it in order to create, exercise or defend legal claims. 

What should organisations do?

The organisation must take appropriate steps to restrict the use of your data. These could include:

  • temporarily moving your data to another system
  • making it unavailable to users, or
  • temporarily removing it from a website, if it has been published.

If the organisation has shared the data with others, it must contact each recipient and inform them of the restriction – unless this is impossible or involves a disproportionate effort. It must also inform you about these recipients if you ask.

When can an organisation use restricted data?

The organisation should store the restricted data securely and should not use the data unless:

  • it has your consent to do so
  • the data is needed for legal claims
  • its use is to protect another person’s rights, or
  • its use is for reasons of important public interest.

Once the organisation has investigated your complaint, it may decide to lift the restriction and continue using your data. You should be informed before the restriction is lifted.

When can the organisation say no?

If it believes that a request is, as the law states, “manifestly unfounded or excessive”, an organisation can: 

  • request a reasonable fee to deal with the request, or
  • refuse to deal with the request.

In either case it will need to tell you and justify its decision.

What to do if the organisation does not respond or you are dissatisfied with the outcome

If you are unhappy with how the organisation has handled your request, you should first complain to it.

Having done so, if you remain dissatisfied you can make a complaint to the ICO.

You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.

Your right to object

What is the right to object?

You have the right to object to an organisation processing (using) your personal information at any time. This effectively means that you can stop or prevent the organisation from using your data. However, it only applies in certain circumstances, and the organisation may not need to stop if it can give strong and legitimate reasons to continue using your data.

When can I object?

You can only object to processing when the organisation is using your data:

  • for a task carried out in the public interest;
  • for the exercise of official authority;
  • for their legitimate interests;
  • for scientific or historical research, or statistical purposes; or
  • for direct marketing purposes.

Can I object to direct marketing?

Yes. The right to object to direct marketing is stronger than any objections you can make about other uses of your data.

If you object, the organisation cannot refuse your objection and must stop using your data for direct marketing purposes. For example, they cannot carry on using your data to try to sell or promote things to you.

However, this does not automatically mean that the organisation needs to erase all your personal information. They may put you on their ‘suppression list’ – this is their list of people who have said that they don’t want their data used for direct marketing purposes. Having a suppression list means that if the organisation buys any new direct marketing lists they can check against it to make sure they don’t use your data for direct marketing when you have asked them not to.

How do I exercise my right to object?

If you’re able to object, you should inform the organisation directly that you don’t want them to process your data. You need to explain why you believe the organisation should stop using your data in this way.

You can make your request verbally or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your complaint, give evidence and state what you want to happen. You will also have clear proof of your actions, if you decide to challenge the organisation’s response.

There are no specific words that you must use, but you may find it useful to use the template below to help you exercise your right to object.

[Your full address]
[Your phone number]
[The date]

[Name and address of the organisation]
[Reference number (if provided within the initial response)]

Dear [Sir or Madam / name of the person you have been in contact with]

Right to object

[Your full name and address and any other details such as account number to help identify you]

I wish to exercise my right under data protection law to object to the processing of my personal information.

[Give details of what use of your personal information you are objecting to, explaining clearly and simply the specific reasons why you are objecting.]

You can find guidance on your obligations under information rights legislation on the Information Commissioner’s Office website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month confirming if you will comply with my request. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me.

Yours faithfully
[Signature]

What must the organisation do?

If your objection is successful, the organisation must stop or not begin processing your personal information for that use. However, they may still be able to legitimately continue using your data for other purposes.

If you have objected to the organisation using your personal information for direct marketing then they must stop using your data for these purposes.

When can the organisation say no?

If you have objected to direct marketing the organisation cannot say no. However, if you have objected about other uses, they can refuse to comply with your objection, but only if they can prove they have a strong reason to continue processing your data that overrides your objection. They can also refuse if they can prove that they are using your data for a legal claim.

They should tell you the result of your objection.

Data protection law also contains exemptions. If an exemption applies, the organisation can either fully or partly refuse to comply with your request.

The organisation can also refuse to comply if they believe that your objection is, as the law states, ‘manifestly unfounded or excessive’.

There is no set definition of what makes a request ‘manifestly unfounded or excessive’. It will depend on the particular circumstances of your request. As an example, an organisation may consider a request to be ‘manifestly unfounded or excessive’ when it is clear that it has been made with no real purpose except to cause the organisation harassment or disruption.

In such circumstances the organisation can:

  • request a reasonable fee to deal with the request; or
  • refuse to deal with the objection.

In either case it will need to tell you and justify its decision.

If, having considered your request, the organisation decides it does not need to stop or not to begin processing your data, it must still respond to you. It should explain to you why it believes it does not have to comply, and let you know about your right to complain about this decision to the ICO, or through the courts.

How long should the organisation take?

The organisation has one month to respond to your objection. In certain circumstances it may need extra time to consider your case and can take up to an extra two months. If it is going to do this, it should let you know within one month that it needs more time and why. For more on this, see our guidance on time limits.

Can it charge a fee for this?

An organisation can only charge a fee if the objection is ‘manifestly unfounded or excessive’. It may then ask for a reasonable fee to cover administrative costs associated with your objection.

What to do if the organisation does not respond or you are dissatisfied with the outcome

If you are unhappy with how the organisation has handled your request, you should first raise a complaint with them and give them the opportunity to resolve the matter.

Having done so, if you remain dissatisfied you can make a complaint to the ICO.

You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.

Your right to data portability

You have the right to get your personal information from an organisation in a way that is accessible and machine-readable, for example as a csv file.

You also have the right to ask an organisation to transfer your data to another organisation. They must do this if the transfer is, as the regulation says, “technically feasible”.

This is known as the right to data portability.

What kind of data this right relates to

This right is similar to your right of access but there are some differences. Specifically, the right only applies to data that:

  • is held electronically, and
  • you have provided to the organisation.

Data you have provided does not just mean information you have typed in, such as a username or email address. It may include data the organisation has gathered from monitoring your activities when you have used a device or service. This may include:

  • website or search usage history
  • traffic and location data, or
  • ‘raw’ data processed by connected objects such as smart meters and wearable devices. An example of this could be data recorded on a fitness app.

How to ask an organisation to give you your data or transfer it

To exercise your right to portability you should:

  • make your request directly to the organisation, and
  • state what you want.

A request can be verbal or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your complaint, give evidence and state your desired solution. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response.

When to make a portability request

You can make a portability request at any time to any organisation that:

  • relies on your consent to use your personal information, or
  • uses your data as part of a contract you have with them.

The organisation’s privacy notice will tell you more about why it is using your data.

What organisations should do

The organisation must provide a copy of the requested data in a commonly used and machine-readable format, such as a csv file. The organisation may also allow you to access the data yourself through an automated tool.

Depending on what you have requested, the organisation should send the data to you or to an organisation you have identified. Before doing this, the organisation may need to confirm your identity.

The organisation may not automatically delete your data after giving it to you or sending it to another organisation. So if you want your data to be deleted, you may need to exercise your right to erasure.

When can the organisation say no?

If the organisation believes that a request is, as the law states, “manifestly unfounded or excessive”, it can:

  • request a reasonable fee to deal with the request, or
  • refuse to deal with the request.

In reaching this decision, it can take into account whether the request is repetitive. In either case it will need to tell you and justify its decision.

What to do if the organisation does not respond or you are dissatisfied with the outcome

If you are unhappy with how the organisation has handled your request, you should first complain to it.

Having done so, if you remain dissatisfied you can make a complaint to the ICO.

You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.

Your right to withdraw consent

You have the right to withdraw your consent to the processing of your personal information. Data protection law says that you must be able to opt out at any time that you choose, on your own initiative and without suffering any detriment.

If you choose to withdraw your consent, the organisation can no longer rely on consent as the lawful basis for the processing. The organisation will need to stop any processing that was based on consent as soon as possible. 

It should be as easy for you to withdraw consent as it was to give it. This means the process of withdrawing consent should be an easily accessible one-step process. If possible, you should be able to withdraw your consent using the same method as when you gave it.

Finally, if you wish for a third party to act on your behalf and withdraw your consent, you’ll need to demonstrate to the organisation that the third party has the authority from you to do so.